I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I think the document is almost ready, although I would like some consideration of a potential attack through the customer equipment.

I reviewed draft-ietf-mpls-egress-protection-framework-05, MPLS Egress Protection Framework. The document specifies a framework for implementing protection of an MPLS tunnel against failure of the egress router or the egress link.

The implementation of the framework relies on the control functions of the MPLS network, and the security considerations correctly state that the security of the implementation relies on the security of these protocols. The security considerations also point out the need for special establishment of trust if the nodes involved are not under the same administrative authority.

These general security considerations are correct, but I am concerned that the egress links between the MPLS network routers and the customer could also become a point of attack. Attackers that gain control of a customer's equipment might use it to simulate link failures and trigger the backup mechanism. They could do so in a coordinated fashion across a large number of customer equipments, to try to overload the control plane or try to create cascading effects in the network.

It may well be that in the absence of the local backup mechanism, the attackers could mount the same type of attack and trigger another type of control plane activity. The defenses against that might also defend against the attack listed in the previous paragraph. But it might be good to state it.